• TECHNOLOGY

Ever since taking an interest Linux,
with the specific aim of better understanding and enhancing my personal
digital security, I have been fascinated by hacker conferences. As soon
as I learned of their existence, I made a point of keeping tabs on the
major conferences so I could browse through the latest videos in their
archive once each one wraps up.

I thought that was the closest I would get to such an event, but a
couple of weeks ago, I had the chance to attend one for the first time:
Chicago's THOTCON. While I'm definitely still swimming in all the
experiences I had, I wanted to share a few of my observations and
insights.

At this point I can practically hear you asking, "Wait, you said
hacker conference? For security?" So, before I go on, I should explain a
bit about the interrelationship between hacking and security.

Ebony and Ivory?

The information security, or InfoSec, field is built on hacking. Without
the latter, the former would be both impossible and pointless. This is
because there are two sides to hacking. The more sensationalized of the
two, often called "black hat" hacking, refers to malicious actors
breaching a system without authorization either for personal gain or
just to cause mayhem.

The far more common variety of hacking is "white hat" hacking, often
more formally known as "penetration testing," in which experienced,
professional hackers are hired by a company to hack it, without
inflicting any permanent damage, in order to audit the company's
security.

Obviously, there would be no need for white hat hackers if there were
no black hat hackers, but because the ranks of the white hats far
outnumber the black hats, we are able to enjoy what computers and the
Internet have to offer in relative security.

The other reason these two approaches are related is because they
depend on each other. In order for the white hats to fend off the black
hats, they need to understand the tactics of the black hats.
Correspondingly, the black hats can operate only where the white hats
have yet to probe. It's a perpetual cat-and-mouse game, but it's one we
have to play in order to make use of the modern Internet.

So what happens at a hacker conference? As I found out, quite a lot.
Mainly, though, leading figures in the hacking/security community give
presentations on their latest research so that attendees can hone their
craft. Like at any professional gathering, there's also a lot of
networking (literally as well as figuratively).

That might sound boring, but I can tell you from experience that it's
anything but! The professionals, both presenting and attending, are at
the leading edge of a field which -- as the recent global ransomware
attack demonstrated -- affects all of us every day.

A Whole New World

As I said, there was a lot to take in, but here are some of the aspects
of the hacker con experience that made an impression on me for one
reason or another.

The most immediate aspect that stood out to me was the sheer amount
of stimulation to be found there. In addition to a choice of three
simultaneously scheduled talks to attend at any given time, attendees
had the option of touring an exhibition room full of vendors,
participating in a lockpicking tutorial, socializing at a full bar (open
from 10 a.m.), or -- last but not least -- taking part in a con-wide
scavenger hunt that included debugging the conference badge and
deciphering hidden messages scattered throughout the area.

In short, there was so much to choose from that it was
overstimulating, but in a good way. Everywhere I looked, there was
something new to take in, and that's exactly why we were all there.

Another thing that impressed me was the considerable range in the
topics of the talks themselves. In just the presentations I saw, I heard
speakers delve into everything from current vulnerabilities in Internet
of Things devices to the philosophy of red team testing; from
evaluating your ideas and models by attacking them from the outside to
how the military is training soldiers to conduct hacking operations in
open, state-on-state warfare.

Some of the talks may not have been directly applicable to me, but
many of them were -- and all of them expanded my understanding and
appreciation for the work of the InfoSec community. Specifically, the
conference gave me a sense of what goes into the pipeline between
Internet services and my computer, providing a more holistic look at
security than simply locking down my system.

Linux Love

Less surprising, but still great to see, was the fact that there was so
much Linux at the con! It's only natural that Linux, an operating system
that lets you infinitely tweak and fine-tune your system, would be
popular among the tinkerers that are hackers. The configurability and
openness of Linux lends itself well to hacking, as hackers can wield
exactly the right tool for the job.

Far and away the favorite OS for hacking is Kali Linux, a
distribution armed to the teeth with network monitoring, forensics and
injection tools. Because hackers have a way of, shall we say,
"challenging" each other when assembled at an event like THOTCON, Linux
is often a preferred choice for ensuring access to a computer to
participate in the many puzzles and challenges offered.

One of the most encouraging things I encountered at the conference
was an approachable and open-minded attitude among the conference-goers.
People there were extremely open to sharing their knowledge and
expertise with others, and no matter what your experience level.
Everyone I met there had something to teach and something to learn.
There wasn't a conversation I participated in that didn't involve
everyone leaving better off.

Finally, one of the best experiences I had at THOTCON was seeing the
hacker community's very own hip hop act, Dual Core, perform during the
after-party. Besides being a treasured cultural artifact from the
community, the group's lyrics are sharp and they are very personable
with their fans, so they're definitely worth checking out.

This is definitely only a taste of the full hacker conference
experience, as even I was surprised by how much there was to see and do
in spite of my familiarity with the phenomenon. While THOTCON doesn't
record its talks, DEFCON and Hackers on Planet Earth (HOPE) post theirs
online, so if my account of my first con has you intrigued, look them up
and check them out for yourself.